Time Machine is great for HOME use. In the enterprise it does not have a place. When I first started with my current job, we did use Time Machine and provided everyone a 1 TB external (while this worked while we were a lot smaller, it was not scalable, secure or maintainable). Since then we’ve gone to using CrashPlan to enable our workforce to back up remotely and securely.

Now, with Time Machine no longer being used or needed, we needed a way to fully disable it within our environment.

Disabling Time Machine is trivial as it’s built into macOS.

There are a few things we can do to disable it.

First we’ll create a config profile disabling access to Time Machine in System Preferences through jamfPro (or whatever management platform you use). Through jamfPro you can do this by:

The above covers the low-hanging fruit: “I clicked on Time Machine within System Preferences and set it up”. It also prevents anyone with an existing setup from reconfiguring it. It does not disable Time Machine instances that are already running, and as a result, any time a running instance has problems it notifies the user. With the PrefPane disabled, the user is unable to fix the issue.

To disable currently running Time Machine instances we can run this command:

sudo tmutil disable

While this stops backups, how do we go about making sure that this command can’t be run by our user to configure Time Machine?

Unfortunately /usr/bin/tmutil is SIP-protected, so we can’t change the file (we could delete it through recovery, but that is NOT a preferred or scalable solution).

While jamfPro does block applications from running, it does not block applications run via the shell.

To further block this you’re going to have to use your malware or antivirus protection. The easiest way is to block the SHA256.

In CarbonBlack or Santa, you’d simply add the following SHA256 to your blacklist.